Summerschool Aachen 2004/Wireless security Lab

From C4 Wiki
== Notes on lab session ==
=== Bluetooth/OBEX ===
I did not find the Bluetooth Specifications and Profiles Book readily on Google, so for your convenience I put these two documents up [http://www.informatik.hu-berlin.de/~thalheim/aachen2004/ here]. The profiles book, together with the OBEX specification should be the sources to use when trying to figure out what these vulnerabilities were that Christian was talking about this morning in the lecture. As far as I understand, the mentioned attacks exploit the fact that in some profiles you can use functions which are not specified to be in there, but which were actually defined for other profiles which are more heavily protected. (e.g. you need to connect to the device, pair with it, enter a pin, stuff).
-- [[Lisa Thalheim]]
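Added example (not from this page, the Bluetooth SIG or any tool named here): a small OBEX packet encoder/decoder in Python, so you can see the bytes a client sends when it pushes an object, pulls the default business card, or asks for a named object. The packet layout (opcode, 2-byte big-endian length, headers whose top two bits select the encoding) is the one in the OBEX specification. The `push_service_allows` policy is an assumption of this example that illustrates the point above about functions from a better-protected profile turning up on a less-protected service; it is not a quotation of the Profiles Book, and `example.vcf` is a made-up object name.

```python
"""Encode and decode OBEX request packets.

Added example for this page; not code from the wiki, the Bluetooth SIG or any
tool named above. The push-service policy at the bottom is an assumption of
this example, not the Profiles Book's text.
"""
import struct

# Request opcodes with the "final" bit (0x80) set.
OP_CONNECT = 0x80
OP_DISCONNECT = 0x81
OP_PUT = 0x82
OP_GET = 0x83
OP_SETPATH = 0x85

# Header identifiers. Bits 7-6 select the encoding:
#   00 = Unicode text (2-byte length, UTF-16BE, null terminated)
#   01 = byte sequence (2-byte length)
#   10 = single byte, 11 = four bytes
HDR_NAME = 0x01
HDR_TYPE = 0x42
HDR_LENGTH = 0xC3
HDR_BODY = 0x48
HDR_END_OF_BODY = 0x49
HDR_CONNECTION_ID = 0xCB

OBEX_VERSION = 0x10  # OBEX 1.0, sent in the CONNECT request


def encode_header(hid, value):
    """Serialise one header; the length field covers id + length + payload."""
    kind = hid & 0xC0
    if kind == 0x00:
        payload = (value.encode("utf-16-be") + b"\x00\x00") if value else b""
        return struct.pack(">BH", hid, 3 + len(payload)) + payload
    if kind == 0x40:
        return struct.pack(">BH", hid, 3 + len(value)) + value
    if kind == 0x80:
        return struct.pack(">BB", hid, value)
    return struct.pack(">BI", hid, value)


def encode_packet(opcode, headers, fixed=b""):
    """opcode, total length, optional fixed fields (CONNECT/SETPATH), headers."""
    body = fixed + b"".join(encode_header(h, v) for h, v in headers)
    return struct.pack(">BH", opcode, 3 + len(body)) + body


def decode_headers(data):
    headers = []
    i = 0
    while i < len(data):
        hid = data[i]
        kind = hid & 0xC0
        if kind in (0x00, 0x40):
            (length,) = struct.unpack(">H", data[i + 1:i + 3])
            if length < 3 or i + length > len(data):
                raise ValueError("header runs past the end of the packet")
            raw = data[i + 3:i + length]
            if kind == 0x00:
                value = raw[:-2].decode("utf-16-be") if raw else ""
            else:
                value = raw
            i += length
        elif kind == 0x80:
            value = data[i + 1]
            i += 2
        else:
            (value,) = struct.unpack(">I", data[i + 1:i + 5])
            i += 5
        headers.append((hid, value))
    return headers


def decode_packet(pkt):
    """Return (opcode, fixed fields, headers); refuse a packet whose length field lies."""
    opcode, length = struct.unpack(">BH", pkt[:3])
    if length != len(pkt):
        raise ValueError("length field %d does not match %d bytes" % (length, len(pkt)))
    if opcode == OP_CONNECT:
        version, flags, max_packet = struct.unpack(">BBH", pkt[3:7])
        fixed = {"version": version, "flags": flags, "max_packet": max_packet}
        return opcode, fixed, decode_headers(pkt[7:])
    if opcode == OP_SETPATH:
        flags, constants = struct.unpack(">BB", pkt[3:5])
        return opcode, {"flags": flags, "constants": constants}, decode_headers(pkt[5:])
    return opcode, {}, decode_headers(pkt[3:])


def push_service_allows(opcode, headers):
    """Assumed policy for an Object Push server (illustration, not the spec's
    text): accept PUT of an object and the pull of the default business card
    (GET with a Type header and no Name header); refuse GET of a named object
    and SETPATH, which belong to the File Transfer profile's protected channel."""
    h = dict(headers)
    if opcode == OP_PUT:
        return True
    if opcode == OP_GET:
        return HDR_NAME not in h and h.get(HDR_TYPE) == b"text/x-vCard\x00"
    return False


def sample_requests():
    """Constructed requests: a CONNECT, a legitimate card pull, and a GET that
    names an object (made-up name) on the push channel."""
    connect = encode_packet(OP_CONNECT, [], struct.pack(">BBH", OBEX_VERSION, 0, 0x2000))
    card_pull = encode_packet(OP_GET, [(HDR_TYPE, b"text/x-vCard\x00")])
    named_get = encode_packet(OP_GET, [(HDR_NAME, "example.vcf")])
    return connect, card_pull, named_get


if __name__ == "__main__":
    for pkt in sample_requests():
        op, fixed, hdrs = decode_packet(pkt)
        print(pkt.hex(), hex(op), fixed, hdrs, "allowed" if push_service_allows(op, hdrs) else "refused")
```

Running it prints the three packets as hex with their decoded opcode and headers; the business card pull is accepted by the assumed policy and the GET with a Name header is refused, which is exactly the check a push service lacks if it simply hands every GET to the same object store the File Transfer profile uses.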
=== Preparation for the WiLDing session ===
In order to get the most out of our WiLDing experience, you should have a few tools available and basically set up when we start. For *nix, you should probably get [http://www.kismetwireless.net Kismet] in version 4.x, since it supports many more chipsets. Also, you should make sure that your WLAN card supports monitor mode, since Kismet works completely passively. For Windows, you might want to try [http://www.netstumbler.com Netstumbler]. In case you have other tools available you feel more comfortable with, please feel free to use those.
You need to install/compile Kismet with ImageMagick support enabled in order to use its map drawing feature. For this you should also get [http://www.gpsdrive.de gpsdrive] and gpsd, which comes bundled with it.
Kismet creates quite a few files representing discovered networks in different formats, so you might want to have a separate directory to keep those. Please also note that Kismet needs to be run suid root in order to switch your card into monitor mode. If Kismet does not support your special chipset, try to do the switch manually or grab another card from the lab or somewhere else.
I will try to get maps for this region to use with the map drawing feature. Hopefully they will be put on our file server. Right now gpsdrive is still bugging me with less verbose error messages.
UPDATE: I got maps which should be about right for us. I got one for a scaling factor of [http://www.asta.rwth-aachen.de/~ernest/map_file0010.gif 15000] which should cover most of Aachen as well as one of the city centre at the scale of [http://www.asta.rwth-aachen.de/~ernest/map_file0009.gif 10000]. Get those either from the links provided or using gpsdrive directly (take the expedia server). The coordinates I used are:
Lat: 50.775<br>
Long: 6.082
In case you are going for really strange routes, you might want to play with the coordinates (just as a reminder: to go north, increase Lat; to go east, increase Long).
You also need MySQL to get Kismet and gpsdrive to play together. Use the provided .sql file (and maybe edit it beforehand) to set up the geoinfo database.
I4 has asked us to provide our results to their research team, so please keep your data (preferably in CSV format) and we can collect them afterwards.
-- [[Ernest Hammerschmidt]]
=== preparations and a discussion ===
Hm, I haven't done that much during the lab session. I made some slides for the coffee table talk on Wednesday and afterwards had a talk with Christian Klein about Bluetooth discovery. The idea is to listen on one channel and then sniff some frame. This gives you the MAC address of some Bluetooth devices and is probably more reliable than the @stake method of brute-forcing. C. told me that he's going to look into this with some specially crafted material. Who knows, maybe there's going to be a paper about this.
--- Ilja van Sprundel
== Wardriving session I ==
Alex, Christian (Dietrich) and me were on an exciting adventure on the streets of Aachen. We had a GPS receiver connected to a notebook with WLAN running kismet and gpsdrive.  
We soon found many access points and gpsdrive showed us the (nearly) exact locations of all the networks we drove through. Unfortunately, gpsdrive crashed and so we lost the tracking data of that program. At home we had to use the data kismet logged during the wardriving session. We used the kismet tool gpsmap to draw some maps which you will find attached below.
We found 298 access points, 147 with WEP enabled and 152 without WEP!
=== Common SSIDs ===
Here is a list of common SSIDs:

31 "WLAN"<br>
25 "mops"<br>
11 "vodafone"<br>
11 "default"<br>
10 "ConnectionPoint"<br>
6 "linksys"<br>
5 "NETGEAR"<br>
4 "T-Mobile_T-Com"<br>
3 "FRITZ!Box"<br>
2 "wlan"<br>
2 "wireless"<br>
2 "SMC"<br>
2 "sd9wh2pq"<br>
2 "foldr.org"<br>
2 "Endres"<br>
2 "BUSCH"<br>
2 "Acer"<br>
2 "101"<br>

56 access points showed no SSID.
=== Maps ===
[[Image:Wardriving-image-2004-09-28_route_and_networks.jpg|thumbnail|Routes and Networks]]
[[Image:Wardriving-image-2004-09-28_hull.jpg|thumbnail|Hull]]
[[Image:Wardriving-image-2004-09-28_estimated_range.jpg|thumbnail|Estimated Range]]

--[[User:Feanor|Boris Leidner]] 22:10, 28 Sep 2004 (CEST)
== Wardriving around Aachen ==
Samad, Sammy, Jan and I started "war-walking" on the first day (28/9), while we were getting our equipment and setup to work. At the end of the day, we found 21 wireless access points using my Centrino laptop with a Garmin GPS receiver, by walking to the bakery and back.

On the second day, we had more success, having gotten Netstumbler and Kismet to work on 3 laptops with 2 available GPS receivers. Samad was driving his car for this session. I found a total of 109 APs (after merging my Netstumbler logs, because the program apparently needed to restart frequently before it would detect new APs).

The map, generated using the facility at www.gpsvisualizer.com, is appended.
 
 
 
[[Image:Wardrivemap2.JPG|center|frame|463|Wardriving]]
 
 
 
---[[User:Flwong|Ford L Wong]]
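Added example for the data handling mentioned in several of the notes above: Ernest's request to keep results in CSV for I4, Boris's counts of WEP and open networks and of common SSIDs, and the merging of restarted NetStumbler logs described just above. It is not code from the wiki, from Kismet or from NetStumbler. The input is a semicolon-separated table that borrows a subset of the column names of Kismet's .csv log; the two scans embedded below are constructed for the example, and the header line of your own file should be checked before pointing this at real logs.

```python
"""Merge several wardriving logs by BSSID and count WEP/open/cloaked networks.

Added example; not part of the wiki page and not code from Kismet or
NetStumbler. The column layout borrows a few of Kismet's .csv field names
(assumption: check your own file's header). SCAN_A and SCAN_B are constructed.
"""
import csv
import io
from collections import Counter
from datetime import datetime

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style stamps as Kismet writes them

# Constructed sample: two passes over the same streets. The second pass was
# started afresh (as NetStumbler had to be), so it re-lists one network from
# the first pass and adds new ones.
SCAN_A = """Network;NetType;ESSID;BSSID;Channel;Cloaked;Encryption;FirstTime;LastTime
1;infrastructure;WLAN;00:11:22:33:44:01;6;No;None;Tue Sep 28 14:02:11 2004;Tue Sep 28 14:02:40 2004
2;infrastructure;mops;00:11:22:33:44:02;11;No;WEP;Tue Sep 28 14:03:01 2004;Tue Sep 28 14:03:09 2004
3;infrastructure;;00:11:22:33:44:03;1;Yes;WEP;Tue Sep 28 14:03:30 2004;Tue Sep 28 14:03:31 2004
"""
SCAN_B = """Network;NetType;ESSID;BSSID;Channel;Cloaked;Encryption;FirstTime;LastTime
1;infrastructure;WLAN;00:11:22:33:44:01;6;No;None;Tue Sep 28 15:10:00 2004;Tue Sep 28 15:10:15 2004
2;infrastructure;default;00:11:22:33:44:04;6;No;None;Tue Sep 28 15:11:00 2004;Tue Sep 28 15:11:03 2004
3;infrastructure;WLAN;00:11:22:33:44:05;9;No;WEP;Tue Sep 28 15:12:00 2004;Tue Sep 28 15:12:44 2004
"""


def parse_scan(text):
    """Read one log into a list of network dicts holding only the fields used here."""
    nets = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        bssid = row["BSSID"].strip().upper()
        if not bssid:
            continue
        nets.append({
            "bssid": bssid,
            "essid": row["ESSID"].strip(),
            "channel": int(row["Channel"]),
            "cloaked": row["Cloaked"].strip().lower() == "yes",
            "wep": row["Encryption"].strip().lower() != "none",
            "first": datetime.strptime(row["FirstTime"].strip(), TIME_FMT),
            "last": datetime.strptime(row["LastTime"].strip(), TIME_FMT),
        })
    return nets


def merge_scans(*scans):
    """Union of scans keyed by BSSID, so an AP seen on two passes (or after a
    restart of the scanner) is counted once. SSIDs are not unique (see the list
    of common SSIDs), so the AP's MAC is the only usable key."""
    merged = {}
    for scan in scans:
        for net in scan:
            cur = merged.get(net["bssid"])
            if cur is None:
                merged[net["bssid"]] = dict(net)
                continue
            cur["first"] = min(cur["first"], net["first"])
            cur["last"] = max(cur["last"], net["last"])
            # a pass that caught the SSID beats one that only saw it cloaked
            if not cur["essid"] and net["essid"]:
                cur["essid"] = net["essid"]
                cur["cloaked"] = net["cloaked"]
            cur["wep"] = cur["wep"] or net["wep"]
    return merged


def summarize(nets):
    """Totals of the kind reported in the wardriving sessions above."""
    nets = list(nets)
    ssids = Counter(n["essid"] for n in nets if n["essid"])
    return {
        "total": len(nets),
        "wep": sum(1 for n in nets if n["wep"]),
        "open": sum(1 for n in nets if not n["wep"]),
        "no_ssid": sum(1 for n in nets if not n["essid"]),
        "common_ssids": ssids.most_common(),
    }


def to_csv(nets):
    """Write the merged table back out as semicolon-separated CSV for handing over."""
    out = io.StringIO()
    w = csv.writer(out, delimiter=";", lineterminator="\n")
    w.writerow(["BSSID", "ESSID", "Channel", "Cloaked", "Encryption", "FirstTime", "LastTime"])
    for n in sorted(nets, key=lambda n: n["first"]):
        w.writerow([n["bssid"], n["essid"], n["channel"], "Yes" if n["cloaked"] else "No",
                    "WEP" if n["wep"] else "None",
                    n["first"].strftime(TIME_FMT), n["last"].strftime(TIME_FMT)])
    return out.getvalue()


if __name__ == "__main__":
    merged = merge_scans(parse_scan(SCAN_A), parse_scan(SCAN_B))
    print(summarize(merged.values()))
    print(to_csv(merged.values()), end="")
```

On the two constructed scans the merge yields five distinct access points (the AP seen on both passes is counted once), three with WEP and two open, one of them cloaked; counting rows instead of BSSIDs would have given six. The same keying by BSSID is what keeps restarted scanner logs from inflating the totals.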
 
 
 
 
 
[[Category:Summerschools]] [[Category:Hacks]]
 

Revision as of 15:32, 29 July 2005